+Changes to squid-4.0.10 (06 May 2016):
+
+ - Accumulate fewer unknown-size responses to avoid overwhelming disks.
+ - Fix shared memory corruption when storing multi-slot (>32KB) shm misses.
+ - ... and some documentation and code cleanup
+ - ... and all fixes from 3.5.18
+
+Changes to squid-4.0.9 (20 Apr 2016):
+
+ - Bug 4405: assertion failed: comm.cc:554: "Comm::IsConnOpen(conn)"
+ - Add a new error page token for unquoted external ACL messages.
+ - Stop parsing response prefix after discovering an "HTTP/0.9" response.
+ - ... and some documentation updates
+ - ... and some code polishing
+ - ... and all fixes from 3.5.17
+
+Changes to squid-4.0.8 (02 Apr 2016):
+
+ - Bug 4459: FHS compliance: move netdb.state and ssl_db to /var/cache/squid
+ - Bug 4458: Behaviour change with external ACL arguments
+ - Bug 4450: wait() related cleanup
+ - Bug 4438: SIGSEGV in memFreeString() destructing SBuf globals on shutdown/restart
+ - Bug 4312: Support disabling collapsed forwarding SMP cooperation
+ - Bug 3826: SMP compatibility with systemd and --foreground option
+ - Bug 1979: Add ACL-driven server_pconn_for_nonretriable squid.conf directive
+ - Bug 7 (partial): Update cached entries on 304 responses
+ - Add reply_header_add directive
+ - HTTP/1.1: Do not prohibit updating Last-Modified on 304 responses
+ - Fix memory leaks of lastAclData and AccessLogentry::url
+ - Fix clang -Winconsistent-missing-override warning
+ - Tests: update test suite for GnuTLS
+ - ... and some documentation updates
+ - ... and some code cleanup and polishing
+ - ... and all fixes from squid 3.5.16
+
+Changes to squid-4.0.7 (23 Feb 2016):
+
+ - Regression Fix: external_acl parameters separated by %20 instead of space
+ - Bug 4432: assertion failed: store.cc:1919: "isEmpty()"
+ - Bug 4111: leave_suid() does not properly handle error codes returned by setuid
+ - Fix propagation of response status line parsing error details
+ - Fix memory leak when the cache of sslcrtvalidator_program is disabled via ttl=0
+ - ... and some code SourceLayout project cleaning
+ - ... and all fixes from squid 3.5.15
+
+Changes to squid-4.0.6 (16 Feb 2016):
+
+ - Regression Bug 4436: Fix DEFAULT_SSL_CRTD
+ - Fix "dial: Ssl::PeerConnector::sslCrtvdHandleReply threw exception: callback != NULL"
+ - ... and some documentation updates
+ - ... and all fixes from squid 3.5.14
+
+Changes to squid-4.0.5 (09 Feb 2016):
+
+ - Regression Bug 4429: http(s)_port options= error message missing characters
+ - Regression Bug 4410: 4.0.4 compile error in basic_ncsa_auth
+ - Regression Bug 4403: helper compile errors after 4.0.4 rev.14454
+ - Regression Bug 4401: compile error on Solaris
+ - Regression Fix: TLS/SSL flags parsing
+ - Regression Fix: cert validadator always disabled in 4.x
+ - Regression Fix: Name-only note ACL stopped matching after 4.0.4 rev.14465 (note -m)
+ - Regression Fix: external_acl problems after 4.0.1 rev.14351
+ - Bug 4409 (partial): compile error when two Heimdal libraries are installed
+ - Bug 4005: Dynamic certificate cache exceeds dynamic_cert_mem_cache_size
+ - SMP: Fix cleanup of a shared memory segment in an unusual configuration
+ - SSL-Bump: Fix step3 splicing.
+ - Add connections_encrypted ACL
+ - Make %<a and %<p details available to [eCAP] RESPMOD services
+ - Rename cert_valid.pl to security_fake_certverify
+ - Rename ssl_crtd helper to security_file_certgen
+ - ... and a lot of code SourceLayout project cleaning
+ - ... and some documentation updates
+ - ... and all fixes from squid 3.5.13 up to rev.13979
+
+Changes to squid-4.0.4 (06 Jan 2016):
+
+ - Regression Bug 4393: compile fails on OS X
+ - Bug 4392: assertion CbcPointer.h:159: 'c' via tunnelServerClosed or tunnelClientClosed
+ - Support use of Kerberos credentials cache instead of keytab
+ - Support logging of TLS Cryptography Parameters
+ - Support substring matching in Note ACL
+ - ... and some code cleanup and polishing
+ - ... and all fixes from squid 3.5.13
+
+Changes to squid-4.0.3 (28 Nov 2015):
+
+ - Bug 4372: missing template files
+ - Bug 4371: compile errors: no such file or directory: DiskIO/*/*DiskIOModule.o
+ - Bug 4368: A simpler and more robust HTTP request line parser
+ - Fix compile erorr on clang undefined reference to '__atomic_load_8'
+ - ext_kerberos_ldap_group_acl: Add missing workarounds for Heimdal Kerberos
+ - ext_ldap_group_acl: Allow unlimited LDAP search filter
+ - ext_unix_group_acl: Support -r parameter to strip @REALM from usernames
+ - ... and much code cleanup and polishing
+ - ... and all fixes from squid 3.5.12
+
+Changes to squid-4.0.2 (01 Nov 2015):
+
+ - Regression Bug 4351: compile errors when authentication modules disabled
+ - Regression fix: HTTP/1.1 Transfer-Encoding:chunked parsing
+ - Bug 4359: assertion failure 'Comm::IsConnOpen(conn)' within ConnStateData::requestTimeout
+ - Bug 4356: segmentation fault using proxy_auth ACL
+ - Bug 4352: compile errors in OS X 10.11
+ - Bug 4021: ext_user_regex does exact match
+ - Bug 3574: avoid crashes, prohibit reconfiguration during shutdown
+ - Support re-assigning delay pools based on HTTP reply details
+ - ... and all fixes from squid 3.5.11
+
+Changes to squid-4.0.1 (14 Oct 2015):
+
+ - Bug 4329: GCC 5.2 no known conversion for argument
+ - Bug 4292: negotiate_wrapper: Unreleased Resources
+ - Bug 4269: ignore-must-revalidate broken
+ - Bug 4190: assertion 'hash_remove_link' from Auth::User::cacheCleanup
+ - Bug 3920: Splay::remove() reference counting inconsistent
+ - Bug 3069: CONNECT method bytes sent logging
+ - Bug 2741 partial: libsecurity API for GnuTLS support
+ - Bug 1961 partial: redesign of URL handling
+ - Fix crash when parsing invalid squid.conf
+ - Fix eCAP: Return 'unknown body size' for bodies with unknown body sizes
+ - Remove unused OS detection: Sun, SysV, Ultrix, BSDi
+ - Remove cache_peer_domain directive
+ - RFC 6176 compliance: Remove SSLv2 support
+ - HTTP/1.1: Remove refresh_pattern ignore-auth and ignore-must-revalidate
+ - Remove GCC 2.x and 3.x detection and support
+ - C++11 compiler support is now mandatory
+ - Enable flexible transport protocol
+ - Enable long (--foo) command line parameters on squid binary
+ - Add per-rule refresh_pattern matching statistics
+ - Replace sslversion=N with tls-min-version=1.N
+ - Replace sslproxy_* directives with tls_outgoing_options
+ - Replace GNU atomics and related hacks with C++11 std::atomic
+ - Replace external_acl_type format %macros with logformat codes
+ - Support Secure ICAP services
+ - Support rotate=N option on access_log
+ - Support bypass for non-HTTP intercepted traffic (on_unsupported_protocol)
+ - Support lifetime timeout for persistent connections (pconn_lifetime)
+ - Support timeout for URL-rewrite helper lookups (url_rewrite_timeout)
+ - Support logging fast things (nanosecond log resolution)
+ - Support ICAP/eCAP adaptation for 100-continue responses
+ - Support configurable helper queue size, with consistent defaults
+ and better overflow handling.
+ - Support named service PID file by default (pid_filename)
+ - url_lfs_rewrite: Add URL-rewriter based on local file existence
+ - negotiate_kerberos_auth: output group= kv-pair
+ - helper-mux: add man(8) page
+ - purge: convert README to man(1) page
+ - basic_msnt_multi_domain_auth: Superceeded by basic_smb_lm_auth
+ - basic_sspi_auth: fix MinGW compile errors
+ - negotiate_sspi_auth: fix various build errors
+ - Crypto-NG: libnettle Base64 algorithm support
+ - Parser-NG: HTTP Parser structural redesign
+ - libltdl: copyright updated to LGPL version 2.1
+ - ... and several performance optimizations
+ - ... and many documentation changes
+ - ... and much code cleanup and polishing
+
+Changes to squid-3.5.18 (06 May 2016):
+
+ - Bug 4510: stale comment about 32KB limit on shared memory cache entries
+ - Bug 4509: EUI compile error on NetBSD
+ - Bug 4501: HTTP/1.1: normalize Host header
+ - Bug 4498: URL-unescape the login-info after extraction from URI
+ - Bug 4455: SegFault from ESIInclude::Start
+ - Prevent Squid forcing -b 2048 into the arguments for sslcrtd_program
+ - Fix TLS/SSL server handshake alert handling
+
+Changes to squid-3.5.17 (20 Apr 2016):
+
+ - Regression Bug 4480: logformat [.width_max]
+ - Regression Bug 4481: varyEvaluateMatch: Oops. Not a Vary match on second attempt
+ - Bug 4495: Unknown SSL option SSL_OP_NO_TICKET
+ - Bug 4493: theObject->sharedMemorySize() == theSegment.size() exception
+ - Bug 4483: ./configure garbles -Og option in CFLAGS
+ - Bug 4482: Solaris GCC 5.2 warning in src/ip/Intercept.cc
+ - Bug 4468: NotNode (!acl) naming: Terminate the name before strncat(name).
+ - Bug 4465: Header forgery detection leads to crash
+ - Bug 2460 partial: workaround deferred reads on shutdown and restart
+ - cachemgr.cgi: use dynamic MemBuf for internal content generation
+ - ESI: Fix several element construction issues
+ - TLS: Fix Handshake Error: ccs received early
+ - TLS: Add chained and signing cert to peek-then-bumped connections
+ - Fix some startup/shutdown crashes
+
+Changes to squid-3.5.16 (02 Apr 2016):
+
+ - Bug 4476: Removed duplicated #include lines
+ - Bug 4452: squid -z segfaults with ufs
+ - Bug 4447:FwdState.cc:447 "serverConnection() == conn" assertion
+ - Bug 4423: adding stdio: prefix to cache_log directive produces FATAL error
+ - Bug 4409: compile error when two Heimdal libraries are installed
+ - Bug 2831: Cache-control: max-age not sent on TCP_IMS_HIT/304
+ - pinger: Fix buffer overflow in Icmp6::Recv
+ - pinger: Fix select(2) to actually use max_fd
+ - pinger: drop capabilities on Linux
+ - Fix memory leak of HttpRequest objects
+ - Fix memory leak when the cache of sslcrtvalidator_program is disabled via ttl=0
+ - Fix assertion failed: Write.cc:41: "!ccb->active()"
+ - Fix crash on shutdown while cleaning up idle ICAP connections
+ - RFC 7725: Add registry entry for 451 status text
+ - ... and some build issues
+
+Changes to squid-3.5.15 (23 Feb 2016):
+
+ - Bug 3870: assertion failed: String.cc: 'len_ + len <65536' in ESI::CustomParser
+ - Fix multiple assertion on String overflows
+ - Fix unit test errors on MacOS
+ - Better handling of huge response headers. Fewer incorrect "Bug #3279" messages.
+ - Log noise reduction for eCAP
+
+Changes to squid-3.5.14 (16 Feb 2016):
+
+ - Bug 4437: Fix Segfault on Certain SSL Handshake Errors
+ - Bug 4431: C code is not compiled with CFLAGS
+ - Bug 4418: FlexibleArray compile error with GCC 6
+ - Bug 4378: assertion failed: DestinationIp.cc:60:
+ 'checklist->conn() && checklist->conn()->clientConnection != NULL'
+ - Fix invalid FTP connection handling on blocked content
+ - Fix handling of shared memory left over by Squid crashes or bugs
+ - Fix mgr:config report 'qos_flows mark' output
+ - Fix compile error in CPU affinity
+ - Fix %un logging external ACL username
+ - Avoid more certificate validation memory leaks
+ - ... and some documentation updates
+
+Changes to squid-3.5.13 (06 Jan 2016):
+
+ - Bug 4397: DragonFly BSD, POSIX shared memory is implemented as filepath
+ - Bug 4387: Kerberos build errors on Solaris
+ - TLS: Support Ephemeral Elliptic Curve Diffie-Hellman (EECDH) key exchange
+ - TLS: Complete certificate chains using external intermediate certificates
+ - Avoid memory leaks when an X.509 certificate validator is used with SslBump
+ - Fix connection retry and fallback after failed server TLS connections
+ - Fix GnuTLS detection via pkg-config
+ - Fix startup crash with a misconfigured (too-small) shared memory cache
+ - ... and some documentation updates
+
+Changes to squid-3.5.12 (28 Nov 2015):
+
+ - Bug 4374: refresh_pattern config parser (%)
+ - Bug 4373: assertion 'calloutContext->redirect_state == REDIRECT_NONE'
+ - Bug 4228: links with krb5 libs despite --without options
+ - Fix SSL_get_certificate() problem detection
+ - Fix TLS handshake problem during Renegotiation
+ - Fix cache_peer forceddomain= in CONNECT
+ - Fix status code-based HTTP reason phrase for eCAP-generated messages
+ - Fix build errors in cpuafinity.cc
+ - ... and several documentation updates
+
+Changes to squid-3.5.11 (01 Nov 2015):
+
+ - Bug 3574: crashes on reconfigure and startup
+ - Bug 4347: compile errors with LibreSSL 2.3
+ - Bug 4281: copy-paste typos in src/tools.cc
+ - Bug 4279: No response from proxy for FTP-download of non-existing file
+ - Bug 4188: Bumping intercepted SSL connections does not work on Solaris
+ - Fix incorrect authentication headers on cache digest requests
+ - Fix connection stats, including %<lp, missing for persistent connections
+ - Fix invalid memory access issues in SBuf
+ - Avoid errors when parsing manager ACL in old squid.conf
+
+Changes to squid-3.5.10 (01 Oct 2015):
+
+ - Regression Fix cache_peer login=PASS(THRU) after CVE-2015-5400
+ - Regression Bug 4326: base64 binary encoder rejects data beginning with nil byte
+ - Bug 4323: Netfilter broken cross-includes with Linux 4.2
+ - Bug 4328: %un format code does not work for external ACLs in credentials-fetching rules
+ - Bug 4208: more than one port in wccp2_service_info line causes error
+ - Bug 4303: PeerConnector.cc:743 "!callback" assertion.
+ - Bug 4330: Do not use SSL_METHOD::put_cipher_by_char to determine size of SSL hello ciphers
+ - Relicense ntlm_fake_auth.pl to GPLv2+
+ - Relicense smb_lm auth helper to GPLv2+
+ - Relicense SSPI helper to GPLv2+
+ - ... and several minor performance optimizations
+
+Changes to squid-3.5.9 (17 Sep 2015):
+
+ - Regression Bug 3618: ntlm_smb_lm_auth rejects correct passwords
+ - Bug 4309: incorrect extensions detection in SSL Hello messages
+ - Bug 4309: crash during Skype login
+ - Bug 4284: missing sanity checks for malloc
+ - Regression Fix: CONNECT request debugging 11,2 traces
+ - Regression Fix: Quieten UFS cache maintenance skipped warnings
+ - TLS: Support SNI on generated CONNECT after peek
+ - ... and some documentation updates
+
+Changes to squid-3.5.8 (02 Sep 2015):
+
+ - Regression Bug 4306: build portability fix in Kerberos helpers
+ - Bug 4302: IPFilter v5 transparent interception
+ - Bug 4301: compile errors with IPFilter interception
+ - Bug 4285 partial: %us is not supported in access.log
+ - Bug 4278: Docs: typo in the refresh_pattern freshness algorithm
+ - Bug 4242: compile errors with eCAP using clang-3.6
+ - Bug 3696: crash when client delay pools are activated
+ - Bug 3553: cache_swap_high ignored and maxCapacity used instead
+ - Regression Fix: FtpServer.cc:1024: "reply != NULL" assertion
+ - Fix ignore of impossible SSL bumping actions, as intended and documented
+ - Fix memory leak in Surrogate-Capability header detection
+ - Fix truncated body length when RESPMOD service aborts
+ - Reject non-chunked HTTP messages with conflicting Content-Length values
+ - Support splice for SSLv3 and TLSv1 sessions that start with an SSLv2 Hello
+ - ... and several portability and compile fixes
+ - ... and several documentation updates
+
+Changes to squid-3.5.7 (01 Aug 2015):
+
+ - Bug 4293: wrong SNI sent to server after URL-rewrite
+ - Bug 4251: incorrect instance name for memory segments in /dev/shm
+ - Bug 4227: invalid key in AuthUserHashPointer causing assertation failure
+ - Bug 3345: support %un (any available user name) format code for external ACLs.
+ - basic_smb_auth: Fix several old issues identified by Debian users
+ - Support ssl-bump splicing to origin cache_peer
+ - Fix SSL errors relayed using invalid certificates
+ - Fix crash in TcpAccepter with profiler enabled
+ - Fix some cases of ssl_crtd SSL certificate DB corruption
+ - Fix performance regression in SBuf::chop operations
+ - Improve handling of client connections on shutdown
+ - Handle exceptions during squid.conf parse
+ - Make pod2man an optional dependency
+ - ... and polishing for several cache.log notification messages
+ - ... and all fixes from squid 3.4.14
+
+Changes to squid-3.5.6 (03 Jul 2015):
+
+ - Bug 4274: ssl_crtd.8 not being installed
+ - Bug 4193: memory leak on FTP listings
+ - Bug 4183: segfault when freeing https_port clientca on reconfigure or exit
+ - Bug 3875: bad mimeLoadIconFile error handling
+ - Bug 3483: assertion failed store.cc:1866: 'isEmpty()'
+ - Bug 3329: pinned server connection is not closed properly
+ - TLS: Disable client-initiated renegotiation
+ - ext_edirectory_userip_acl: fix uninitialized variable
+ - Support custom OIDs in *_cert ACLs
+ - Fix CONNECT failover to IPv4 after trying broken IPv6 servers
+ - Use relative-URL in errorpage.css for SN.png
+ - Do not blindly forward cache peer CONNECT responses
+ - Fix assertion String.cc:221: "str"
+ - Fix assertion comm.cc:759: "Comm::IsConnOpen(conn)" in ConnStateData::getSslContextDone
+ - Translations: add Spanish US dialect alias
+
+Changes to squid-3.5.5 (28 May 2015):
+
+ - Regression Bug 4132: short_icon_urls with global_internal_static on
+ - Bug 4238: assertion Read.cc:205: "params.data == data"
+ - Bug 4236: SSL negotiation error of 'success'
+ - Bug 3930: assertion 'connIsUsable(http->getConn())'
+ - Fix assertion MemBuf.cc:380: "new_cap > (size_t) capacity" in SSL I/O buffer
+ - Fix assertion errorpage.cc:600: "entry->isEmpty()"
+ - Fix comm_connect_addr on failures returns Comm:OK
+ - Fix missing external ACL helper notes
+ - Fix "Not enough space to hold server hello message" error message
+ - Fix segmentation fault inside Adaptation::Icap::Xaction::swanSong
+ - Prevent unused ssl_crtd helpers being run
+ - ... and some code cleanup and portability updates
+ - ... and several documentation updates
+
+Changes to squid-3.5.4 (01 May 2015):
+
+ - Bug 4234: comm_connect_addr uses errno incorrectly
+ - Bug 4231: fd_open() not correctly handling UDS socket descriptions
+ - Bug 4226: digest_edirectory_auth: found but cannot be built
+ - Bug 4198: assertion failed: client_side.h:364: "sslServerBump == srvBump"
+ - Bug 3775: Disable HTTP/1.1 pipeline feature for pinned connections
+ - Fix require-proxy-header preventing HTTPS proxying and ssl-bump
+ - Fix Negotiate/Kerberos authentication request size exceeds output buffer size
+ - Fix SQUID_X509_V_ERR_DOMAIN_MISMATCH errors while accessing sites with valid certificates
+ - Add server_name ACL matching server name(s) obtained from various sources
+ - Add Kerberos support for MAC OS X 10.x
+ - Support for resuming TLS sessions
+ - ... and some portability and compile fixes
+ - ... and several documentation updates
+ - ... and all fixes from squid 3.4.13
+
+Changes to squid-3.5.3 (28 Mar 2015):
+
+ - Regression Bug 4213: negotiate_kerberos_auth: freeing non-dynamic memory
+ - Regression Bug 4206: Incorrect connection close on expect:100-continue
+ - Bug 4204: ./configure does not abort when required helpers cannot be built
+ - Bug 3805: support shared memory on MacOS X in Mem::IPC::Segment
+ - Bug 2907: high CPU usage on CONNECT when using delay pools
+ - basic_getpwnam_auth: fail authentication on crypt() failures
+ - basic_nis_auth: fail authentication on crypt() failures
+ - ext_kerberos_ldap_group_acl: Heimdal support improvements
+ - ext_wbinfo_group_acl: Perl 5.20 support
+ - ... and several compile issues
+
Changes to squid-3.5.2 (18 Feb 2015):
- Regression Bug 4176: Digest auth too many helper lookups
- ... and many error page translation updates
- ... and much code cleanup and polishing
+Changes to squid-3.4.14 (01 Aug 2015):
+
+ - Do not blindly forward cache peer CONNECT responses (CVE-2015-5400)
+
+Changes to squid-3.4.13 (01 May 2015):
+
+ - Bug 4212: ssl_crtd crashes with corrupt database
+ - ... and some documentation updates
+ - ... and all fixes from squid 3.3.14
+
Changes to squid-3.4.12 (18 Feb 2015):
- Bug 4066: Digest auth nonce indefinite rollover
- ... and many documentation changes
- ... and much code cleanup and polishing
+Changes to squid-3.3.14 (01 May 2015):
+
+ - Bug 4093: source-maintenance.sh errors and warnings due to wrong tools/options
+ - ... and some documentation updates
+ - ... and all fixes from squid 3.2.14
+
Changes to squid-3.3.13 (28 Aug 2014):
- Fix segmentation fault setting up server SSL connnection
- ... and many compile error fixes
- ... and a very large amount of code polish for faster compilation
+Changes to squid-3.2.14 (01 May 2015):
+
+ - Fix 'access_log none' to prevent following logs being used
+ - Fix X509 server certificate domain matching
+ - ... some documentation updates
+
Changes to squid-3.2.13 (13 Jul 2013):
- Bug 3869: assertion failed: MemBuf.cc:272: size < capacity